Reply to Re: [PHP] Storing password in cookie

Your name:

Reply:


Posted by Chris Shiflett on 04/11/05 19:32

Chris Boget wrote:
> > This idea of storing passwords in cookies is absurd.
>
>
> Is the above sentiment true even if you store the password as some sort
> of hash (md5 or otherwise)?

Yes, because passwords offer long-term access. If you accept a hash of
the password for access, then that hash becomes as sensitive as the
password. For example, this is why using client-side scripting to send
the hash of a password in a login form offers no protection.

Most people who inquire about storing access credentials (username and
password, password, hash of the password, etc.) in a cookie want to
provide a persistent login. This is a form of access control that is
temporarily removed by the presence of this cookie, which is difficult
enough to protect without adding in unnecessary risks. Even a temporary
token used in exactly the same manner offers less risk than anything
based upon the password.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация